State Laws

Prior to student data privacy taking off as an issue in 2014, many states had preexisting privacy laws. Some states have privacy laws that are not specific to education but still affect educational data. For example, 10 state constitutions have recognized a right to privacy,[1] and many more have general privacy protections in place for their citizens. These laws affect students, teachers, schools, and districts. Many states have specific laws regarding the disposal of records that contain personal information.[2] Some states also require government entities to have a written privacy policy in place.[3] And some, such as California, require government agencies to have a specific person responsible for compliance with privacy law.[4]

States can give students additional privacy protections, and many have: at least 35 states have passed laws supplementing FERPA;[5] 45 make their data privacy policies publically available; 48 state education agencies have established governance bodies charged with managing the collection and use of data, including how that data will be kept secure and confidential; and 45 have established policies that determine what type of data is available to select stakeholders, such as teachers and principals, who will use it to improve instruction.

The number of laws directly regulating student privacy has dramatically increased in the past three years. Since 2014, 49 states have introduced over 500 student privacy bills, with at least 100 bills introduced each year. Thirty-eight states have passed 91 laws since 2013. Generally, these laws either regulate educational agencies and institutions, such as schools, districts, and state education agencies, or regulate third parties.

Thirty-three states as of the end of 2016 have introduced either a version of California’s SOPIPA or a similar piece of legislation that regulates industry known as the SUPER (“student user privacy in education rights”) Act, and 12 states have passed those bills into law.

SOPIPA, SUPER, and other recent student privacy laws impose direct liability on ed tech operators. FERPA, which is enforced by the U.S. Department of Education is only directly enforceable against “educational institutions receiving federal funds” – which equates to most public schools. Even if a third party vendor practice causes the school to be in violation of FERPA, DOE may only hold the school liable. Any liability by the school service provider would simply be through its contract with the school. The entire purpose of states seeking to pass SOPIPA, SUPER, and other student privacy laws is to directly regulate private companies that are now so frequently working directly with students.

[1] “Constitutions in ten states—Alaska, Arizona, California, Florida, Hawaii, Illinois, Louisiana, Montana, South Carolina, and Washington—expressly recognize a right to privacy.” National Conference of State Legislatures, Privacy Protections in State Constitutions, December 11, 2013.

[2] “At least 30 states have enacted laws that require entities to destroy, dispose, or otherwise make personal information unreadable or undecipherable.” National Conference of State Legislatures, Data Disposal Laws, December 26, 2013.